The triage_summary is always the last line of --json output. It contains everything tailx computed about the log stream, structured for machine consumption.
```json
{
  "type": "triage_summary",
  "stats": { ... },
  "top_groups": [ ... ],
  "anomalies": [ ... ],
  "hypotheses": [ ... ],
  "traces": [ ... ]
}
```
`stats`: processing statistics for the entire run.
```json
{
  "events": 47283,
  "groups": 92,
  "templates": 38,
  "drops": 0,
  "events_per_sec": 15252.0,
  "elapsed_ms": 3100
}
```

| Field | Type | Description |
|---|---|---|
| `events` | integer | Total events processed |
| `groups` | integer | Active pattern groups |
| `templates` | integer | Drain template clusters |
| `drops` | integer | Events dropped (arena OOM) |
| `events_per_sec` | float | Processing throughput |
| `elapsed_ms` | integer | Wall-clock processing time |
`top_groups`: up to 20 pattern groups, ranked by score (severity × frequency × trend). Each group represents a cluster of structurally similar log messages.
```json
{
  "exemplar": "Connection refused to <*>",
  "count": 34,
  "severity": "ERROR",
  "trend": "rising",
  "service": "payments",
  "source_count": 3
}
```

| Field | Type | Always present | Description |
|---|---|---|---|
| `exemplar` | string | yes | Representative message for this group |
| `count` | integer | yes | Total event count in this group |
| `severity` | string | yes | Highest severity seen in the group |
| `trend` | string | yes | `rising`, `stable`, `falling`, `new`, or `gone` |
| `service` | string | no | Service name, if all events share one |
| `source_count` | integer | no | Number of distinct sources (omitted if 1) |

| Trend | Meaning |
|---|---|
| `rising` | Rate is increasing compared to previous window |
| `stable` | Rate is approximately constant |
| `falling` | Rate is decreasing |
| `new` | Group appeared in the current window |
| `gone` | No events in the current window (previously active) |
`anomalies`: active anomaly alerts from the rate detector and CUSUM detector.
```json
{
  "kind": "rate_spike",
  "score": 0.823,
  "observed": 450.0,
  "expected": 120.3,
  "deviation": 4.2,
  "fire_count": 3
}
```

| Field | Type | Description |
|---|---|---|
| `kind` | string | Anomaly type (see table below) |
| `score` | float | Severity score, 0.0 to 1.0 |
| `observed` | float | The actual measured value |
| `expected` | float | The baseline expected value |
| `deviation` | float | Z-score or normalized deviation |
| `fire_count` | integer | Number of times this alert has fired |

| Kind | Source | Description |
|---|---|---|
| `rate_spike` | RateDetector | Event rate significantly above baseline |
| `rate_drop` | RateDetector | Event rate significantly below baseline |
| `change_point_up` | CusumDetector | Sustained upward shift in event rate |
| `change_point_down` | CusumDetector | Sustained downward shift in event rate |
| `latency_spike` | (reserved) | Latency above baseline |
| `distribution_shift` | (reserved) | Statistical distribution change |
| `cardinality_spike` | (reserved) | Sudden increase in unique values |
| `new_pattern_burst` | (reserved) | Burst of previously unseen templates |
`hypotheses`: causal hypotheses from the correlation engine. Each hypothesis explains an anomaly by linking it to temporally proximate signals.
```json
{
  "causes": [
    {
      "label": "DB latency spike",
      "strength": 0.742,
      "lag_ms": 5000
    },
    {
      "label": "deploy detected",
      "strength": 0.381,
      "lag_ms": 15000
    }
  ],
  "confidence": 0.742
}
```

| Field | Type | Description |
|---|---|---|
| `causes[]` | array | Candidate causes, ordered by strength |
| `causes[].label` | string | Description of the candidate cause |
| `causes[].strength` | float | Cause strength, 0.0 to 1.0 (closer in time + higher magnitude = stronger) |
| `causes[].lag_ms` | integer | Time between cause and effect in milliseconds |
| `confidence` | float | Overall hypothesis confidence (max cause strength) |
`traces`: reconstructed request flows from explicit `trace_id` matching.
```json
{
  "trace_id": "req-abc-123",
  "event_count": 5,
  "duration_ms": 245,
  "outcome": "failure",
  "events": [
    {
      "severity": "INFO",
      "message": "Received POST /api/checkout",
      "service": "gateway"
    },
    {
      "severity": "ERROR",
      "message": "Connection refused to db-primary:5432",
      "service": "payments"
    }
  ]
}
```

| Field | Type | Description |
|---|---|---|
| `trace_id` | string | The trace identifier |
| `event_count` | integer | Number of events in this trace |
| `duration_ms` | integer | Time from first to last event |
| `outcome` | string | `success`, `failure`, `timeout`, or `unknown` |
| `events[]` | array | Events in the trace, in order |
| `events[].severity` | string | Event severity level |
| `events[].message` | string | Event message |
| `events[].service` | string | Service name (if present) |
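
A minimal consumer for this schema, as an added example rather than tailx's own code: it takes the last line of the output, checks that it is a `triage_summary`, and turns the documented fields into alert strings. The sample input is constructed from this page's example values; the score threshold and the choice of which severities, trends and outcomes to flag are assumptions.

```python
import json

# Constructed sample: the tail of a `--json` run. The first line's shape is an
# assumption; the summary line reuses the example values shown on this page.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"message": "Connection refused to db-primary:5432"}),
    json.dumps({
        "type": "triage_summary",
        "stats": {"events": 47283, "groups": 92, "templates": 38, "drops": 0,
                  "events_per_sec": 15252.0, "elapsed_ms": 3100},
        "top_groups": [
            {"exemplar": "Connection refused to <*>", "count": 34, "severity": "ERROR",
             "trend": "rising", "service": "payments", "source_count": 3},
            {"exemplar": "Cache miss for <*>", "count": 900, "severity": "INFO",
             "trend": "stable"}],  # no service, source_count omitted (1 source)
        "anomalies": [{"kind": "rate_spike", "score": 0.823, "observed": 450.0,
                       "expected": 120.3, "deviation": 4.2, "fire_count": 3}],
        "hypotheses": [{"confidence": 0.742, "causes": [
            {"label": "DB latency spike", "strength": 0.742, "lag_ms": 5000},
            {"label": "deploy detected", "strength": 0.381, "lag_ms": 15000}]}],
        "traces": [{"trace_id": "req-abc-123", "event_count": 5, "duration_ms": 245,
                    "outcome": "failure", "events": []}]}),
]) + "\n"

def load_summary(output: str) -> dict:
    """Return the triage_summary: the last non-empty line of --json output."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    record = json.loads(lines[-1]) if lines else {}
    if record.get("type") != "triage_summary":
        raise ValueError("no triage_summary on the last line (truncated run?)")
    return record

def findings(summary: dict, min_score: float = 0.5) -> list:
    """Flatten a summary into alert strings; the thresholds are assumptions."""
    out = []
    if summary["stats"]["drops"] > 0:  # dropped events: the summary is incomplete
        out.append(f"incomplete: {summary['stats']['drops']} events dropped")
    for g in summary["top_groups"]:
        if g["severity"] == "ERROR" and g["trend"] in ("rising", "new"):
            out.append(f"group: {g['exemplar']} x{g['count']} "
                       f"[{g.get('service', '?')}, {g.get('source_count', 1)} sources]")
    for a in summary["anomalies"]:
        if a["score"] >= min_score:
            out.append(f"anomaly: {a['kind']} {a['observed']} vs {a['expected']}")
    for h in summary["hypotheses"]:
        if h["causes"]:  # ordered by strength, so the first is the best candidate
            out.append(f"cause: {h['causes'][0]['label']} lag {h['causes'][0]['lag_ms']} ms")
    out += [f"trace: {t['trace_id']} {t['outcome']}" for t in summary["traces"]
            if t["outcome"] in ("failure", "timeout")]
    return out
```

Calling `findings(load_summary(SAMPLE_OUTPUT))` yields one string per flagged group, anomaly, cause and trace; `load_summary` raises `ValueError` when the run was cut off before the summary line was written.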